Re: [GLLUG] meeting idea?

Benjamin Cathey benjamincathey at catheycompany.com
Wed Aug 23 10:42:50 EDT 2006


Right but won't they want to take the server back home to 'fix it up' much like the Grinch??

So yes, it seems many people have opinions on this subject.  So is it a good meeting idea or no?  It seems we may be able to throw together a process manual or howto on the subject if we could agree with the methodology.


Benjamin Cathey
System Administrator
Cathey Company
4917 Tranter St.
Lansing, MI 48910 USA
Phone:     517.393.4720
Fax:       517.393.4225
Toll Free: 800.333.1972
"Service is Our Profession"


----- Original Message -----
From: Jim Fick [mailto:jfick at mphi.org]
To:
benjamincathey at catheycompany.com
Sent: Wed, 23 Aug 2006 09:55:13 -0400
Subject: Re: [GLLUG] meeting idea?


>->> Local law enforcement, they will contact the FBI.
>->> 
>->> --------------------------
>->> Sent from my BlackBerry Wireless Device
>->> 
>->> 
>->> ----- Original Message -----
>->> From: linux-user-bounces at egr.msu.edu <linux-user-bounces at egr.msu.edu>
>->> To: Thomas Hruska <thruska at cubiclesoft.com>
>->> Cc: linux-user at egr.msu.edu <linux-user at egr.msu.edu>
>->> Sent: Tue Aug 22 17:55:34 2006
>->> Subject: Re: [GLLUG] meeting idea?
>->> 
>->> >->> > The recent discussion about the putty titlebar gave me an idea.  How about
>->> >->> > a "So you've been hacked - how to deal with it" meeting?  Topics like how to
>->> >->> > detect you have a problem and what to do about the problem.
>->> >->> > 
>->> >->> > I know this can be a tricky subject.  When I started my new job here the
>->> >->> > first thing I had to do was reload the mailserver.  It had been hacked (they
>->> >->> > left traces in the .bash_history) and I didn't know what else to do but
>->> >->> > reload.  
>->> >->> 
>->> >->> That was the smart course of action (if not brilliant) if that is all 
>->> >->> you knew how to do at the time.  Now that you've had more experience you 
>->> >->> might be able to dig down into the system and trace what actually 
>->> >->> happened before reinstalling the OS and thus you could close off the 
>->> >->> open security hole (could have just been old, buggy software and an 
>->> >->> upgrade to newer [buggy] software closed the open hole - or the security 
>->> >->> hole might still exist in, say, the firewall).
>->> 
>->> 
>->> Right, the problem was that there was NO firewall setup.  Ridiculous, I know,
>->> but that is what happens when people who don't really know anything about
>->> Linux set up a mailserver.  When I started I couldn't believe that they
>->> didn't have ANYTHING protecting them.
>->> 
>->> At that point I did disconnect it from the network.  
>->> 
>->> Someone was able to guess the password for the root account (I was able to
>->> trace quite a bit back.)  From there they installed software on the server
>->> which was trying brute force attacks on a specified IP range and then
>->> someone was coming in to get the data.  It was scary to look at all that
>->> info.  I didn't really know WHO to contact to give the log files to (and all
>->> the netstat and other INFO I got.)  I figured SOMEONE should be told it was
>->> going on.
>->> 
>->> 
>->> -Benjamin
>->> 
>->> **********************
>->> ** LEGAL DISCLAIMER **
>->> **********************
>->> 
>->> This E-mail message and any attachments may contain legally privileged,
>->> confidential or proprietary information. If you are not the intended
>->> recipient(s), or the employee or agent responsible for delivery of this
>->> message to the intended recipient(s), you are hereby notified that any
>->> dissemination, distribution or copying of this E-mail message is strictly
>->> prohibited. If you have received this message in error, please immediately
>->> notify the sender and delete this E-mail message from your computer. 
>->> 
>->> 
>->> _______________________________________________
>->> linux-user mailing list
>->> linux-user at egr.msu.edu
>->> http://mailman.egr.msu.edu/mailman/listinfo/linux-user
>->> 

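The incident Benjamin describes (repeated password guesses against root, then one success, found afterwards in the logs) is exactly the pattern an auth-log scan can surface before a reload. The script below is an added example, not code from the thread; it assumes the server's remote logins went through sshd with its standard syslog message format, and the log lines it reads are constructed.

```python
import re
from collections import defaultdict

# Constructed sample sshd auth log (not from the original thread). It models the
# incident above: several failed password guesses for root, then one success.
SAMPLE_LOG = """\
Aug 22 03:14:01 mail sshd[2101]: Failed password for root from 203.0.113.7 port 4120 ssh2
Aug 22 03:14:03 mail sshd[2103]: Failed password for root from 203.0.113.7 port 4121 ssh2
Aug 22 03:14:05 mail sshd[2105]: Failed password for root from 203.0.113.7 port 4122 ssh2
Aug 22 03:14:08 mail sshd[2107]: Failed password for invalid user admin from 203.0.113.7 port 4123 ssh2
Aug 22 03:14:11 mail sshd[2109]: Accepted password for root from 203.0.113.7 port 4124 ssh2
Aug 22 08:02:44 mail sshd[2410]: Accepted publickey for ben from 192.0.2.10 port 51000 ssh2
"""

# Assumed sshd/syslog line layout: "<timestamp> <host> sshd[<pid>]: <result> <method> for [invalid user ]<user> from <ip> port <n> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def analyse(log_text, threshold=3):
    """Return (failed-password counts per source IP, list of suspicious logins).

    A successful login is flagged when the same source IP had already produced at
    least `threshold` failed password attempts earlier in the log. Lines that do
    not match the sshd format are skipped instead of raising.
    """
    failures = defaultdict(int)
    flagged = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, user, result, method = m["src"], m["user"], m["result"], m["method"]
        if result == "Failed" and method == "password":
            failures[src] += 1
        elif result == "Accepted" and failures.get(src, 0) >= threshold:
            # Success from a source that was guessing: treat as a likely compromise.
            flagged.append((m["ts"], user, src, failures[src]))
    return dict(failures), flagged


if __name__ == "__main__":
    counts, hits = analyse(SAMPLE_LOG)
    for ts, user, src, n in hits:
        print(f"{ts}: '{user}' logged in from {src} after {n} failed password guesses")
```

On a real box the same scan would be pointed at /var/log/auth.log or /var/log/secure; a hit is the cue to pull the machine off the network and preserve the logs, netstat output and shell histories before reinstalling, as the thread recommends.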
